PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
20,823 Commits 17 Branches 0 Tags 42 MiB
d181604ce1
Commit Graph

20823 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Luke Huang
3b52b0f17a Merge "Clean sepolicy of unused netd_socket" into qt-dev 
am: dc4dc55784

Change-Id: I396104eedf91564d186c408dac4dd637e23a240d
 2019-05-09 23:11:01 -07:00
Marco Nelissen
52bcfdf5a0 Merge "Remove unneeded permissions" into qt-dev 
am: 2b34e6ad9f

Change-Id: I74362a13fe68a37f30fafe53e606b8eb99e812e9
 2019-05-09 23:10:28 -07:00
Maciej enczykowski
c8802b80bf [automerger skipped] dontaudit su unlabeled:vsock_socket * 
am: 63067284f1 -s ours
am skip reason: change_id I3bd1b2262dc6dcb099403d24611db66aac9aecb0 with SHA1 ae68bf23b6 is in history

Change-Id: I177f0150b4d4ba19841a19fee6d8f15a49cd7fc3
 2019-05-09 23:10:00 -07:00
Maciej enczykowski
3fc9a4e149 [automerger skipped] dnsmasq - allow getattr on unix stream sockets 
am: 5a56156bcc -s ours
am skip reason: change_id I5af4d01e17f2d37335f523a49c7b1f81886edfa2 with SHA1 210cdc6fa4 is in history

Change-Id: I97fb79ff555ecffdef5f8e88e4022e076083f7f8
 2019-05-09 23:09:41 -07:00
Maciej Żenczykowski
7c40e0bb6e selinux - netd - tighten down bpf policy 
bpf programs/maps are now loaded by the bpfloader, not netd

Test: built/installed on crosshatch which uses eBPF - no avc denials

Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0)
 2019-05-10 05:52:30 +00:00
Tri Vo
6c4f6d0f5a Merge "priv_app: suppress denials to proc_net" 2019-05-10 05:35:19 +00:00
Maciej Żenczykowski
24dd16b650 selinux - remove clatd tun creation privs 
No longer needed, since this is now done by netd.

In a separate commit so it can potentially not be backported to Q
if we so desire.

Test: build/installed on crosshatch with netd/clatd changes,
  and observed functioning ipv4 on ipv6 only network with no
  avc denials

Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d2)
 2019-05-10 05:13:44 +00:00
Xin Li
0262dc3710 [automerger skipped] Merge "DO NOT MERGE - Merge Pie Bonito/Sargo into master." am: f4c31d3f14 -s ours 
am: 20b1e98c3c -s ours
am skip reason: subject contains skip directive

Change-Id: I899bdd20475bf8b6a6670402d50a9beee67d0aa7
 2019-05-09 21:53:33 -07:00
TreeHugger Robot
dc4dc55784 Merge "Clean sepolicy of unused netd_socket" into qt-dev 2019-05-10 03:15:56 +00:00
Xin Li
20b1e98c3c [automerger skipped] Merge "DO NOT MERGE - Merge Pie Bonito/Sargo into master." 
am: f4c31d3f14 -s ours
am skip reason: subject contains skip directive

Change-Id: I161d19915c84f455eb50137cb962fecfd00e1277
 2019-05-09 19:53:59 -07:00
Nicolas Geoffray
db3fde05b5 Allow system server to lock system files. 
ART generically locks profile files, and this avoids
special casing the ART code for read-only partitions.

An example on how ART does it:
https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731

Bug: 119800099
Test: system server locking a system file, no denial
Change-Id: I4339f19af999d43e07995ddb77478a2384bbe209
 2019-05-10 03:00:18 +01:00
Marco Nelissen
2b34e6ad9f Merge "Remove unneeded permissions" into qt-dev 2019-05-10 01:45:29 +00:00
Maciej enczykowski
1749e15016 [automerger skipped] selinux - allow dnsmasq to getattr on fifos 
am: 9bb7844efa -s ours
am skip reason: change_id Ieab51aeb67ebb85b6c778410ba96963612277ae4 with SHA1 afa10f7223 is in history

Change-Id: Ie31a3810a21ee64be15310e62ecbec3da2f3abb8
 2019-05-09 18:09:16 -07:00
Maciej Żenczykowski
63067284f1 dontaudit su unlabeled:vsock_socket * 
Fix for:
  type=1400 audit(): avc: denied { getopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { setopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { read } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { write } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket

Test: now less audit warnings!
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
Merged-In: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
(cherry picked from commit ae68bf23b6)
 2019-05-10 00:52:45 +00:00
Maciej Żenczykowski
5a56156bcc dnsmasq - allow getattr on unix stream sockets 
Fix for:
  type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="socket:[25224]" dev="sockfs" ino=25224 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0 b/77868789

Test: built and observed no more avc denials on aosp blueline

Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5af4d01e17f2d37335f523a49c7b1f81886edfa2
Merged-In: I5af4d01e17f2d37335f523a49c7b1f81886edfa2
(cherry picked from commit 210cdc6fa4)
 2019-05-10 00:52:12 +00:00
Maciej Żenczykowski
9bb7844efa selinux - allow dnsmasq to getattr on fifos 
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.

This fixes:
  type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0

Test: built and observed no more avc denials on crosshatch

Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223)
 2019-05-10 00:51:42 +00:00
Android Build Merger (Role)
5cb090d977 Merge "[automerger skipped] DO NOT MERGE - Merge Pie Bonito/Sargo into master. am: 199072d2be -s ours am: 1691a7b80e -s ours am skip reason: subject contains skip directive" into qt-dev-plus-aosp 2019-05-10 00:49:57 +00:00
Joel Galenson
68ec29c861 Dontaudit unneeded denials. 
am: 654ceeb93f

Change-Id: I32074b390e6044a8aebc8fbb239a5b51bfe2559a
 2019-05-09 17:39:28 -07:00
Xin Li
3eb30aa7d2 [automerger skipped] DO NOT MERGE - Merge Pie Bonito/Sargo into master. am: 199072d2be -s ours 
am: 1691a7b80e -s ours
am skip reason: subject contains skip directive

Change-Id: I2c6a86af0b868ccac2a97fe1ace5a3cd5f8921d0
 2019-05-09 17:30:38 -07:00
Xin Li
1691a7b80e [automerger skipped] DO NOT MERGE - Merge Pie Bonito/Sargo into master. 
am: 199072d2be -s ours
am skip reason: subject contains skip directive

Change-Id: Ic2613a41f0bdd2ec1865668ac22bde12fa5ad83f
 2019-05-09 16:16:13 -07:00
Tri Vo
e319c03673 priv_app: suppress denials to proc_net 
avc: denied { read } for comm="UserFacing3" name="arp" dev="proc"
ino=4026532043 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
app=com.google.android.googlequicksearchbox

Bug: 132376360
Test: m selinux_policy
Change-Id: I6ebe8b6806268f31885026a81ebea0ed15b532d2
 2019-05-09 16:14:45 -07:00
Marco Nelissen
ba258f0ec0 Remove unneeded permissions 
Media component update service is removed, so selinux
permissions for it are no longer needed.

Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
 2019-05-09 22:19:33 +00:00
Xin Li
f4c31d3f14 Merge "DO NOT MERGE - Merge Pie Bonito/Sargo into master." 2019-05-09 22:05:51 +00:00
Joel Galenson
654ceeb93f Dontaudit unneeded denials. 
These denials are intermittent and unnecessary.  Hide them while we
investigate how to properly fix the issue.

Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
 2019-05-09 10:43:59 -07:00
Xin Li
199072d2be DO NOT MERGE - Merge Pie Bonito/Sargo into master. 
Bug: 131756210
Change-Id: I671e7465545522755b090018c4d9941c72b15008
 2019-05-09 09:27:07 -07:00
Maciej Żenczykowski
6e4758f6df Merge "selinux - remove clatd tun creation privs" am: fbae4d9b35 
am: 4fbd081176

Change-Id: I7af021708896a47a7195526a2469c2074d4e4c42
 2019-05-08 19:34:52 -07:00
Maciej Żenczykowski
4fbd081176 Merge "selinux - remove clatd tun creation privs" 
am: fbae4d9b35

Change-Id: I63513697bae391f5a4226e964f8d403822998ce9
 2019-05-08 18:43:25 -07:00
Hridya Valsaraju
6f79d8e335 [automerger skipped] Merge "Move ro.boot.dynamic_partitions to vendor" into qt-dev 
am: 24c34d9379 -s ours
am skip reason: change_id Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51 with SHA1 033177893f is in history

Change-Id: I314c22213119cf0ab158af75d4efce2c5ac8f8a4
 2019-05-08 17:35:41 -07:00
Hridya Valsaraju
511d8c97dc [automerger skipped] Move ro.boot.dynamic_partitions to vendor 
am: 033177893f -s ours
am skip reason: change_id Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51 with SHA1 761ce69a25 is in history

Change-Id: I800bd3f4dd594b9b7019e3439f57b6219330a3bc
 2019-05-08 17:34:30 -07:00
Stephen Hines
5c081803fc Ensure avrule is initialized. 
Bug: http://b/131390872
Test: Builds with -Wconditional-initialize
Change-Id: I14b9316ca392f299745342d61e4fd45ab8e9e307
 2019-05-08 17:14:34 -07:00
Maciej Żenczykowski
fbae4d9b35 Merge "selinux - remove clatd tun creation privs" 2019-05-09 00:11:29 +00:00
TreeHugger Robot
24c34d9379 Merge "Move ro.boot.dynamic_partitions to vendor" into qt-dev 2019-05-08 23:28:51 +00:00
Hridya Valsaraju
8dcf89b41d Merge "Move ro.boot.dynamic_partitions to vendor" am: 5a883148a0 
am: 252fae8c15

Change-Id: I8da6567c2d3e77136295da0c5502e5c18f2792b7
 2019-05-08 15:30:21 -07:00
Hridya Valsaraju
252fae8c15 Merge "Move ro.boot.dynamic_partitions to vendor" 
am: 5a883148a0

Change-Id: I6abface2f70338c68968f3450608034687e20e5f
 2019-05-08 15:10:00 -07:00
Hridya Valsaraju
033177893f Move ro.boot.dynamic_partitions to vendor 
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.

Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Merged-In: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
 2019-05-08 21:40:48 +00:00
Treehugger Robot
5a883148a0 Merge "Move ro.boot.dynamic_partitions to vendor" 2019-05-08 21:39:26 +00:00
Maciej Zenczykowski
4fc92da9db [automerger skipped] Merge "mtp: support using pppox_socket family" into qt-dev 
am: 036a9b36a6 -s ours
am skip reason: change_id I8ac4c2f98f823120060e51438b39254898f4a27e with SHA1 8fa5ebdee7 is in history

Change-Id: I231eaa6f3cd4be79429dc16c202c2179e618095e
 2019-05-08 12:57:00 -07:00
Maciej Zenczykowski
036a9b36a6 Merge "mtp: support using pppox_socket family" into qt-dev 2019-05-08 19:13:37 +00:00
Maciej enczykowski
731d07c202 mtp: support using pppox_socket family am: 8fa5ebdee7 
am: f1c7d23882

Change-Id: I0044d11bdce37045771f401920955cb5d9e98e33
 2019-05-08 06:13:51 -07:00
Maciej enczykowski
f1c7d23882 mtp: support using pppox_socket family 
am: 8fa5ebdee7

Change-Id: Ic59e960eaf1121cafa224ef4edccd87baf76532c
 2019-05-08 06:08:36 -07:00
Maciej Żenczykowski
7f4b50e306 mtp: support using pppox_socket family 
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).

Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).

Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
Merged-In: I8ac4c2f98f823120060e51438b39254898f4a27e
(cherry picked from commit 8fa5ebdee7)
 2019-05-08 06:01:58 -07:00
Maciej Żenczykowski
3e41b297d2 selinux - remove clatd tun creation privs 
No longer needed, since this is now done by netd.

In a separate commit so it can potentially not be backported to Q
if we so desire.

Test: build/installed on crosshatch with netd/clatd changes,
  and observed functioning ipv4 on ipv6 only network with no
  avc denials

Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
 2019-05-08 10:22:48 +00:00
Maciej Żenczykowski
8fa5ebdee7 mtp: support using pppox_socket family 
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).

Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).

Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
 2019-05-08 01:16:38 -07:00
Hridya Valsaraju
761ce69a25 Move ro.boot.dynamic_partitions to vendor 
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.

Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
 2019-05-07 16:16:27 -07:00
android-build-team Robot
b8f90dd88f Snap for 5450365 from 3feb8646fe to pi-platform-release 
Change-Id: Icbb75c9f25dd427831213396a6b0064cdb83e271
 2019-05-07 21:49:04 +00:00
Maciej enczykowski
9a8c1648cb [automerger skipped] selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli 
am: 532980fb0b -s ours
am skip reason: change_id Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306 with SHA1 6450e0038b is in history

Change-Id: I10dcd1aaa9a52c3a0c072df120a275fabb005f69
 2019-05-07 10:07:43 -07:00
Maciej enczykowski
532980fb0b selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli 
This is needed to resolve some race conditions between clatd startup and interface naming/numbering.

This resolves:
  type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket

Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
Merged-In: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
(cherry picked from commit 6450e0038b)
 2019-05-07 10:29:15 +00:00
Nick Kralevich
cb2291e151 [automerger skipped] ppp: support using pppox_socket family 
am: 64aa71a430 -s ours
am skip reason: change_id I00cc07108acaac5f2519ad0093d9db9572e325dc with SHA1 e9cafb91d2 is in history

Change-Id: I628299e76a69617b73f4be8588f9fae83f5f0e88
 2019-05-06 19:17:55 -07:00
Maciej Żenczykowski
501ccd8931 Merge "dontaudit su unlabeled:vsock_socket *" am: 3e034a2270 
am: 72ec9fca61

Change-Id: I7ef11b0826f8acb9d60bf9deabb557196fbccd11
 2019-05-06 19:14:20 -07:00
Maciej Żenczykowski
72ec9fca61 Merge "dontaudit su unlabeled:vsock_socket *" 
am: 3e034a2270

Change-Id: I5b5b5e345eac439cf1724741dee7b483095d118e
 2019-05-06 18:28:58 -07:00